Re: [tor-relays] Dear OBFS4 bridge operators, please enable timing and packet-size obfuscations to help clients facing timing analysis attacks.
- To: George Hartley <hartley_george@xxxxxxxxx>
- Subject: Re: [tor-relays] Dear OBFS4 bridge operators, please enable timing and packet-size obfuscations to help clients facing timing analysis attacks.
- From: pasture_clubbed242--- via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 23 Sep 2024 20:09:23 +0000
- Cc: pasture_clubbed242@xxxxxxxxxxxxxxx, tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
- Delivered-to: archiver@xxxxxxxx
- Delivery-date: Mon, 23 Sep 2024 22:12:50 -0400
- In-reply-to: <nuew5EBG9Uq4D4WcYGkbRRkG2ETzr-wefn_BbzrCJ0te6Y73a6eZbzyJdTntt2kpwwjYvbnmulqfTrAi4Zu0FXo4-_zEjPCHkmoUTLJRWrw=@proton.me>
- List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
- List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
- List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
- List-post: <mailto:tor-relays@lists.torproject.org>
- List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
- List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
- References: <nuew5EBG9Uq4D4WcYGkbRRkG2ETzr-wefn_BbzrCJ0te6Y73a6eZbzyJdTntt2kpwwjYvbnmulqfTrAi4Zu0FXo4-_zEjPCHkmoUTLJRWrw=@proton.me>
- Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
- Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
Out of curiosity, can any other options be passed with ServerTransportOptions besides iat-mode?
I could only find this article saying there is a 'cert=' option, which initially appears useful for Tor.
https://hamy.io/post/000d/how-to-hide-obfuscate-any-traffic-using-obfs4/
Thank you
On Monday, September 23rd, 2024 at 6:15 AM, George Hartley via tor-relays - tor-relays at lists.torproject.org <tor-relays@xxxxxxxxxxxxxxxxxxxx> wrote:
> Hello Tor community,
>
> this e-mail applies to you if you are running an obfs4 (now known under the name lyrebird) bridge or want to do so in the future.
>
> Some recent posts on this list have shown that traffic timing analysis can be used to locate a user's or onion service's guard nodes or bridges. This is not really something new.
>
> For bridge users, there is a way to try to protect themselves against this, but your bridge configuration must support it.
>
> By enabling iat-mode on your obfs4/lyrebird bridge, then maybe DPI (Deep Packet Inspection) hardware can sometimes be defeated either entirely, or at least the process of tracking users can be slowed down.
>
> OBFS4/Lyrebird supports two types of traffic obfuscation:
>
> > ServerTransportOptions obfs4 iat-mode=1
>
>
> This will make your bridge send MTU sized packets, in order to make
> true packet size analysis harder.
>
> There is also what the author of obfs4/Lyrebird called "paranoid mode":
>
> > ServerTransportOptions obfs4 iat-mode=2
>
> For each write, a variable length packet will be sent, which will result
> in both making true packet size and round trip time analysis harder.
>
> If your bridge is distributed by BridgeDB, the next time someone receives
> a batch of bridges with your bridge in it, the bridge-line will have the iat-mode variable set to the one
> you set on your bridge server.
>
> Your bridge will still work even if you enable these defenses and a user chooses
> to set iat-mode to 0 in his bridge line.
>
> There is a small performance penalty for both mode 1 and 2, but nothing very severe.
>
> I believe this, along with Vanguards, and so on, is needed to keep users and services somewhat secure.
>
> Let me know what you think.
>
> - George
>
>
>
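An added example, not part of either message or of the obfs4/lyrebird project: a small check an operator could run to confirm that the iat-mode set in torrc matches the one in the bridge line handed to clients, as the quoted message describes. The sample torrc, address, fingerprint and cert are constructed placeholders, and the function names are hypothetical.

```python
def _iat_values(tokens):
    """Yield the integer value of every iat-mode=N token."""
    for tok in tokens:
        key, _, value = tok.partition("=")
        if key == "iat-mode":
            if value not in ("0", "1", "2"):
                raise ValueError(f"invalid iat-mode value: {value!r}")
            yield int(value)

def server_iat_modes(torrc_text, transport="obfs4"):
    """Return every iat-mode set via ServerTransportOptions for `transport`."""
    modes = []
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # strip comments, then tokenize
        # tor option names are case-insensitive; the transport name is matched as written
        if (len(parts) >= 3 and parts[0].lower() == "servertransportoptions"
                and parts[1] == transport):
            modes.extend(_iat_values(parts[2:]))
    return modes

def bridge_line_iat_mode(bridge_line):
    """Return the iat-mode advertised in a client bridge line, or None."""
    modes = list(_iat_values(bridge_line.split()))
    return modes[-1] if modes else None

def audit(torrc_text, bridge_line):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    modes = server_iat_modes(torrc_text)
    if not modes:
        findings.append("torrc sets no iat-mode for obfs4")
    elif len(set(modes)) > 1:
        findings.append(f"conflicting iat-mode values in torrc: {modes}")
    elif modes[0] == 0:
        findings.append("torrc sets iat-mode=0 (obfuscation off)")
    advertised = bridge_line_iat_mode(bridge_line)
    if modes and advertised != modes[-1]:
        findings.append(
            f"bridge line advertises iat-mode={advertised}, torrc sets {modes[-1]}")
    return findings

# Constructed sample input (placeholder address, fingerprint and cert).
SAMPLE_TORRC = """\
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
# ServerTransportOptions obfs4 iat-mode=0
ServerTransportOptions obfs4 iat-mode=2
"""
SAMPLE_BRIDGE_LINE = "Bridge obfs4 192.0.2.10:443 <FINGERPRINT> cert=<CERT> iat-mode=0"

if __name__ == "__main__":
    for finding in audit(SAMPLE_TORRC, SAMPLE_BRIDGE_LINE):
        print(finding)
```

A mismatch finding means the line clients receive does not yet reflect the server setting; conflicting values are flagged rather than resolved, since the check makes no assumption about which line tor applies.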